Skip to content

A collection of Burpsuite Intruder payloads, BurpBounty payloads, fuzz lists, malicious file uploads and web pentesting methodologies and checklists.

Notifications You must be signed in to change notification settings


Repository files navigation

alt tag


A collection of Burpsuite Intruder payloads, BurpBounty payloads (, fuzz lists and pentesting methodologies. To pull down all 3rd party repos, run in the same directory of the IntruderPayloads folder.

Author: -


  • Spiders, Robots and Crawlers IG-001
  • Search Engine Discovery/Reconnaissance IG-002
  • Identify application entry points IG-003
  • Testing for Web Application Fingerprint IG-004
  • Application Discovery IG-005
  • Analysis of Error Codes IG-006
  • SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity) - SSL Weakness CM‐001
  • DB Listener Testing - DB Listener weak CM‐002
  • Infrastructure Configuration Management Testing - Infrastructure Configuration management weakness CM‐003
  • Application Configuration Management Testing - Application Configuration management weakness CM‐004
  • Testing for File Extensions Handling - File extensions handling CM‐005
  • Old, backup and unreferenced files - Old, backup and unreferenced files CM‐006
  • Infrastructure and Application Admin Interfaces - Access to Admin interfaces CM‐007
  • Testing for HTTP Methods and XST - HTTP Methods enabled, XST permitted, HTTP Verb CM‐008
  • Credentials transport over an encrypted channel - Credentials transport over an encrypted channel AT-001
  • Testing for user enumeration - User enumeration AT-002
  • Testing for Guessable (Dictionary) User Account - Guessable user account AT-003
  • Brute Force Testing - Credentials Brute forcing AT-004
  • Testing for bypassing authentication schema - Bypassing authentication schema AT-005
  • Testing for vulnerable remember password and pwd reset - Vulnerable remember password, weak pwd reset AT-006
  • Testing for Logout and Browser Cache Management - - Logout function not properly implemented, browser cache weakness AT-007
  • Testing for CAPTCHA - Weak Captcha implementation AT-008
  • Testing Multiple Factors Authentication - Weak Multiple Factors Authentication AT-009
  • Testing for Race Conditions - Race Conditions vulnerability AT-010
  • Testing for Session Management Schema - Bypassing Session Management Schema, Weak Session Token SM-001
  • Testing for Cookies attributes - Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity SM-002
  • Testing for Session Fixation - Session Fixation SM-003
  • Testing for Exposed Session Variables - Exposed sensitive session variables SM-004
  • Testing for CSRF - CSRF SM-005
  • Testing for Path Traversal - Path Traversal AZ-001
  • Testing for bypassing authorization schema - Bypassing authorization schema AZ-002
  • Testing for Privilege Escalation - Privilege Escalation AZ-003
  • Testing for Business Logic - Bypassable business logic BL-001
  • Testing for Reflected Cross Site Scripting - Reflected XSS DV-001
  • Testing for Stored Cross Site Scripting - Stored XSS DV-002
  • Testing for DOM based Cross Site Scripting - DOM XSS DV-003
  • Testing for Cross Site Flashing - Cross Site Flashing DV-004
  • SQL Injection - SQL Injection DV-005
  • LDAP Injection - LDAP Injection DV-006
  • ORM Injection - ORM Injection DV-007
  • XML Injection - XML Injection DV-008
  • SSI Injection - SSI Injection DV-009
  • XPath Injection - XPath Injection DV-010
  • IMAP/SMTP Injection - IMAP/SMTP Injection DV-011
  • Code Injection - Code Injection DV-012
  • OS Commanding - OS Commanding DV-013
  • Buffer overflow - Buffer overflow DV-014
  • Incubated vulnerability - Incubated vulnerability DV-015
  • Testing for HTTP Splitting/Smuggling - HTTP Splitting, Smuggling DV-016
  • Testing for SQL Wildcard Attacks - SQL Wildcard vulnerability DS-001
  • Locking Customer Accounts - Locking Customer Accounts DS-002
  • Testing for DoS Buffer Overflows - Buffer Overflows DS-003
  • User Specified Object Allocation - User Specified Object Allocation DS-004
  • User Input as a Loop Counter - User Input as a Loop Counter DS-005
  • Writing User Provided Data to Disk - Writing User Provided Data to Disk DS-006
  • Failure to Release Resources - Failure to Release Resources DS-007
  • Storing too Much Data in Session - Storing too Much Data in Session DS-008
  • WS Information Gathering - N.A. WS-001
  • Testing WSDL - WSDL Weakness WS-002
  • XML Structural Testing - Weak XML Structure WS-003
  • XML content-level Testing - XML content-level WS-004
  • HTTP GET parameters/REST Testing - WS HTTP GET parameters/REST WS-005
  • Naughty SOAP attachments - WS Naughty SOAP attachments WS-006
  • Replay Testing - WS Replay Testing WS-007
  • AJAX Vulnerabilities - N.A. AJ-001
  • AJAX Testing - AJAX weakness AJ-002


A collection of Burpsuite Intruder payloads, BurpBounty payloads, fuzz lists, malicious file uploads and web pentesting methodologies and checklists.







No releases published


No packages published

Contributors 4